
Inside Internal Controls

News and discussion on implementing risk management


The positive side of risk


Both good and bad things happen. Only managing the potential for failure, in my opinion, is a recipe for failure.

It is essential to consider all the things that might happen, both good and bad, if you are to achieve your objectives.

So how should we talk about the good stuff if we reserve the word ‘risk’ for the bad?

COSO and governance codes like King IV (South Africa) talk about ‘risk and opportunity’, where risk refers to the harmful effect of what might happen and opportunity is the positive side.

I have heard people talk about opportunity being the “other side of the coin” from risk.

ISO 31000:2018 refers to risk as ‘the effect of uncertainty on objectives’; the effect could be either positive or negative. (ISO does not provide a definition of uncertainty in this context. There are several dictionary definitions, few of which work in this context, but the one in Wikipedia is useful: “Uncertainty is a potential, unpredictable, and uncontrollable outcome.” That is consistent with my preference for talking about ‘what might happen’.)

We could use the ISO language, but is that useful when people generally see risk as bad?

If we can’t agree on what the terms risk and opportunity mean, how can we have a constructive conversation?

What does real life have to tell us?

Let’s take the fairly simple example of a CEO starting his day.

He is thinking about the problem that came up late the previous evening and how he should spend his morning.

His current schedule starts at 9:30 am with a 2-hour final review and approval of the company’s next generation product. The project leaders and his key direct reports are meeting in his conference room to confirm that it is on track for timely and quality completion. The product is essential to the success of the company over the next couple of years, especially as its competitors are likely to release similar products at about the same time as the company. A delay or functionality failure would be a disaster.

But, last night the CFO sent him an email with the updated forecast for the 4th quarter (Q4) and full year. Apparently, the company is expected to miss both the Q4 and annual revenue numbers (which he had shared with the analysts only a month earlier) by as much as $10 million. The CEO knows that will disappoint the market and the company’s share price will drop. In addition, his customers will see the shortfall and question whether they should move all or part of their business to a competitor that reports revenue and market share growth.

He knows he needs to understand the situation better. A meeting with both the CFO and the head of sales is needed, so he texts them both and asks that they meet in his office at 8 am.

The CEO is also thinking about what could be done to salvage the situation. He remembers that when he last talked to the head of sales, several large deals were being pursued. Perhaps he could visit a few of those customers; his presence and ability to make a deal might either increase the size of a deal or accelerate one from Q1 of next year into Q4.

The 8 am meeting sheds some light on the current situation. His questions elicit:

  • The CFO and head of sales believe there is only a 70% likelihood of achieving revenue goals.
  • There are several deals that are being negotiated, each with a different likelihood of success. Overall, the head of sales says that:
    • There’s a 15% chance that they will miss by $5 million or so. The CFO and CEO agree that this will disappoint the market and the share price will drop temporarily. A good Q1 could bring it back.
    • They could miss by $10 million or even more, and that is also 15% likely. The CFO and CEO deem that unacceptable as the share price would drop substantially and it could be several quarters before it recovered.
    • If the CEO joined him to visit three major customers, including one that afternoon, there is a good possibility that they will be able to bring some large deals to a close in Q4 and hit their numbers. The head of sales believes that the likelihood of hitting the numbers (or better) would increase to 90%, and the possibility of a $10 million miss would drop to only a few percent. The CEO would have to leave the office by 10 am as the customer is a 2-hour drive away.
  • The CFO advises that he should warn the market of the possibility of missing the previously announced numbers by the end of the week (just a few days away) – unless the forecast changes before then.

It is decision time for the CEO.

If he stays with the current schedule, the likelihood of missing the revenue numbers is unacceptable. The board will expect him to act, as long as he doesn’t offer a massive discount to close deals at the cost of Q1 results. In addition, large discounts would set expectations for similar discounts in the future.

But, if he postpones the project review he might avoid the revenue failure.

But, again, if he postpones the project review for a week while he chases revenue, there’s a chance (which he estimates at 20%) that the project is going in the wrong direction and it would take enormous efforts to bring it back.

On reflection, he changes his gloomy estimate from 20% to 5%, because it would only be a week’s delay and he should be able to catch any major defects before they turn into disasters.

So, he has to weigh all the possibilities and make an informed and intelligent decision.

He decides to ask his COO to lead the project review while he visits as many major customers as he can before the end of the week.

Both good and bad consequences may flow from this decision.

Do we call the good ‘opportunities’ and the bad ‘risks’? Should we call all the potential effects ‘risks’?

Certainly, one is not (IMHO) the flip side of the other.

It’s not as if you have either a risk or an opportunity, a good or a bad potential effect. The decision will have both.

I don’t care what you call them as long as you recognize that the potential effects of uncertainty can be positive, negative, or (most likely) both.

I welcome your comments, good and bad.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.
